A Guide to Mastering Asset Tracking
Physical Asset tracking is a critical aspect of cybersecurity and it is especially important for small and medium-sized businesses (SMBs) to ensure the security and protection of their data and systems. It is so critical that it’s the first item on the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework). Below is a step-by-step guide to help you implement an effective NIST CSF-compliant asset tracking system.
Why is Asset Management Important?
Asset Management is important because you cannot defend what you do not know exists. This is all about having all your physical devices and systems in your business inventoried. Having a list of physical systems and devices that are accessing your data will let you correlate gaps in security coverage. Aside from the security concerns it can save money by reducing duplicate spending especially when dealing with employee turnover.
Step 1: Choose the Right System
When selecting an asset tracking system, it is essential to choose a system that not only meets your business needs but also aligns with NIST CSF standards. In a perfect work you’d let us track this all for and you wouldn’t need to hassle with the effort. In a slightly less perfect world you’d look for a system that offers encryption for sensitive data, secure login and authentication and a way to ensure the data can be backed up and recovered process in case of any issues. Of course the reality is that most small and medium businesses don’t operate in a perfect world. This physical inventory truly is important, so if you need to bust out Excel and just get it done! You can download a simple example Excel template from HERE.
Step 2: Set Up Your System
Once you have chosen the right system it’s time to set it up. This may involve creating user accounts and customizing the system to meet your specific requirements. Different systems will track different information out of the box. Is there information unique to the company that is important to track? Can unimportant info fields be removed to simplify things? Some examples include does the company care about warranty expirations? Will it be tracking who each device is assigned to? Will model numbers or serial numbers be tracked? If your system is Excel then this may be as simple as adding/removing columns.
Step 3: Identify Your Assets
Now comes the actual work. Identifying all the devices and systems in the network. This will include servers, laptops, desktops, phones (cell and desk), routers, firewall, network switches (including the ones behind the desks) etc. Really everything that uses the network that you can touch. If your office is fancy and the coffee maker has an app, include it on the list. There are tools that will scan a network for devices. If needed walk from desk to desk then to the network closet. Don’t skimp on this step! For bonus points this may be a good time to indicate if this device is know to hold sensitive information such as credit card numbers, social security numbers or any other information that could be used to identify a person. If you are in the medical field patient records would fall under this.
Step 4: Monitor and Update Your System
This inventory should be a living, breathing document maintained in real time. Make this your New Years goal right along with your fitness goals. That way you will be sure its updated for at least a week each year. Depending on the company’s size multiple people may deal with onboarding/offboarding and purchasing. You may be even have this outsourced to a third party. Creating a policy and procedure and having these people/teams update the spreadsheet directly may serve to increase the accuracy of the inventory. Consider using automated alerts and notifications to keep track of changes to your assets.
Step 5: Evaluate Your System
It’s important to evaluate your asset tracking system on a regular basis to ensure that it is meeting your business needs. Is it time to ditch Excel? Has the information tracked still relevant? Does new information need to be tracked? Is the inventory being updated regularly and properly? Does anyone have access that shouldn’t? Is it finally time to add that new graph you learned how to make on your last webinar?
Implementing an effective asset tracking system is the first step for businesses to secure their assets and data and the first step of aligning with the NIST CSF. By choosing the right system, setting it up securely, identifying assets, monitoring the system and evaluating it regularly, businesses can help ensure that their assets are secure and that they in line with the best practices for cybersecurity. Remember, you cannot defend what you do not know exists. It is our hope that you take this information and use it to help secure your business. If you’d like more information or would like help gathering and maintaining an inventory give us a call today!